javascriptsin the javascripts

ffconf 2014

andy wingo

thees6circusiscomingtotown

es-discuss clownshoes

C++ knife-jugglers

JavaScript acrobats

buildinges.nextines.now

Hark, an agenda:

Why?❧

How: JavaScriptCore❧

How: SpiderMonkey❧

How: V8❧

whyimplementjs injs?

js isfasterthanc++

js isfasterthanc++

JS can optimize in ways that C++ can’t

dynamic inlining❧

inline allocation (and possiblyscalar replacement)

❧

inline hard-wiring of user objectshapes (slot offsets, getters)

❧

js isfasterthanc++

No JS/C++ transition cost

Especially important for callbacks (e.g.forEach)

js isfasterthanc++

JavaScriptCore’s Oliver Hunt, January2014:

“The initial proof of concept isArray.prototype.every, this shows a65% performance improvement, andthat improvement is significantly hurtby our poor optimisation of op_in.”

jsmatchesjssemanticsbetter

Proxies, accessors, order of effects,has-property versus get-property,user-implemented iteration protocol,exceptions, catch

Terse:for (var x of y) z(x);

jsmoresecurethanc++

GC-related bugs approximatelyimpossible

SM, V8; JSC immune❧

No C++ knife-throwing work-relatedaccidents

integer overflow, use-after-free, etc❧

Cross-iframe leakage concernslessened

choosyhackerschoosejs

Goal: As much in JS as possible

For speed, for security, formaintainability

How?

simplestmodel:javascriptcore

“Methods can be implemented in JS”

example Source/JavaScriptCore/builtins/Array.prototype.jsfunction foo() { return 'ahoy ffconf';}

Source/JavaScriptCore/runtime/ArrayPrototype.cppfoo arrayProtoFuncFoo DontEnum|Function 0

weirdjs: jscedition

Function source compiled separately

Access to globals forbidden in general

Initial values of globals accessible via @prefix, e.g. @Object

Add @call and @apply

http://svn.webkit.org/repository/webkit/trunk@163195

morecomplicated:spidermonkey

“Self-hosted JS” files concatenated andevaluated – more normal model

C++ binds functions by name toprototype properties

feature:es.next‘pipelines’

Old SpiderMonkey:(x*2 for (x in [0,1,2].keys()))

Erstwhile ES6:(for (x of [0,1,2].keys()) x*2)

Maybe ES7:[0,1,2].keys().map(x=>x*2)

Ideally on IteratorPrototype, butlet’s hack it

example js/src/builtin/Iterator.jsfunction* IteratorMap(f) { for (var x of this) yield f(x);}

example No function* at boot-time :(

But, ES6 object literalsfunction IteratorMap(f) { var iter = this[std_iterator](); return { next(val) { var result = iter.next(val) return result.done ? result : { value: callFunction(f, iter, result.value), done: false }; }, [std_iterator]: IteratorIdentity, }}

example Link to C++ files; grep for surroundingidentifiers, make similar modifications(e.g. in jsiter.cpp)js> for (var x of [1,2,3].keys().map(x=>x*2)) print(x)024

nerfthewebforward

nerfthewebforward

Your search - "nerf the web forward" -did not match any documents.

nerfthewebforward

(like, nerf is like a more resilientpolystyrene foam)

nerfthewebforward

(the more joke explanation slides, themore amusing the joke, right?)

nerfthewebforward

(right?)

caveats @@iterator called before or after firstnext()?

Prototype chain of the result of map()?

Should final result.value bemapped?

%IteratorPrototype%

No spec; spec wonkiness

throw()?

next() applied to different object?

v8 Story time!

languagesarelikeoperatingsystems

Visit a page : Install an app

Visit about:blank : Boot OS

Weird self-hosted JS part of OS, notapp

genesis In the beginning, there was the emptyfunction

and the Object function

and its prototype property

genesis And Goog looked upon it and saw thatit was good

genesis Then the strict mode function “maps”(hidden classes)

Then the first global object

Then Array, Number, Boolean, String,Symbol, Date, RegExp, JSON,ArrayBuffer, the TypedArrays, Map,Set, iterator result shapes, WeakMap,WeakSet, arguments object shapes, ...

genesis And Goog looked upon them and sawthat they were good

genesis And Goog looked upon them and sawthat they were good

But FFS it’s a lot of C++, innit?

how 2js

Problem: Need to define helpers in JS,but they shouldn’t be in the user’sscope

Solution: Second global object for self-hosted JS to play in; natives mutate toproduce a more beautiful global

builtins,globals

Global: A global object, correspondingto a user-facing script-level scope

builtins: The global object currentwhen self-hosted JS is being defined

In builtins, user-facing global boundto global

Somewhat confusingly, in V8, “self-hosted JS facilities” are called “natives”

on theseventhday

So, “natives”. That’s JavaScript y’all!

example src/generator.jsfunction* GeneratorObjectMap(f) { for (var x of this) yield f(x);}

weirdjs, v8edition

Verbs

% prefix for low-level C++ runtimefunctions (--allow-natives-syntax)

❧

%_ prefix for magical “inline”runtime functions (%_CallFunction,%_IsSmi)

❧

macros (TO_UINT32, IS_NUMBER)❧

weirdjs, v8edition

Nouns too

global❧

InternalArray (to allow builtins touse .push() without worryingabout user pollution)

❧

Suggested reading order

runtime.js❧

v8natives.js❧

array.js❧

snapshots Lots of work amirite?

Optimization: Serialize heap of new-born world

Load fresh heap from disk to “boot”

Necessary in context of Chrome’smulti-process model

note:thedom issomethingelse

“Blink-in-JS”

Kentaro Haro: DOM binding overheadis 5-15% in real web

DOM objects live in a 1-to-Nrelationship to V8 globals

Search for “Hardening security ofcontent scripts”

butseriously

Strict spec reading

Strict spec translation (optimize later ifever)

Tests (especially proxies, getters, orderof operations)

Patch submission

Feature flags (in v8)

tx nerf the web forward!

wingo@igalia.com

http://wingolog.org/

.

big kid circus, by ray forster: https://www.flickr.com/photos/94418464@N08/8686092191